I am new to SAML and ADFS. I tried googling my error but sadly got no hits. I have been trying to set up Spring SAML and ADFS so I can get single sign-on working by following this guide. It looks like I am close to the end, but I am getting the following error: Response doesn't have any valid assertion which would pass subject validation
Stack trace:
[#|2015-10-29T08:03:43.334+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=1689;_ThreadName=Thread-2;|- AuthNResponse;FAILURE;fe80:0:0:0:e1fd:739e:9d4e:8883%14;https://nkr-beh1:18181/saml/saml/metadata;http://NKR-AD.adm.kulturrad.no/adfs/services/trust;;;org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation
at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:229)
at org.springframework.security.saml.SAMLAuthenticationProvider.authenticate(SAMLAuthenticationProvider.java:82)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:84)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:217)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:279)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:655)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:331)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:231)
at com.sun.enterprise.v3.services.impl.ContainerMapper$AdapterCallable.call(ContainerMapper.java:317)
at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:195)
at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:860)
at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:757)
at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1056)
at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:229)
at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
at java.lang.Thread.run(Thread.java:745)
I checked the code: it should get the assertion from the response (ADFS) and throw the error if that is null. I guess this means something is missing from my ADFS, or that I have misunderstood what an assertion is?
Answer 0: (score: 1)
First, you should use Fiddler to trace and see whether AD FS actually issues a token. Alternatively, you can enable auditing on the AD FS side to see which tokens, if any, are issued.
Then the Security event log and the AD FS event log should confirm whether a token was issued, or whether it was issued successfully.
For details on reviewing with Fiddler, see here. It was written for WS-Fed but also helps with SAML. http://social.technet.microsoft.com/wiki/contents/articles/3286.aspx
This plugin can also be used to get a better view of the token. It is easier than using TextWizard to do base64 / deflated SAML decoding (where applicable). http://social.technet.microsoft.com/wiki/contents/articles/3590.fiddler-inspector-for-federation-messages.aspx
Fiddler will interfere with Windows Integrated Auth unless you follow this link and disable Extended Protection on AD FS. http://social.technet.microsoft.com/wiki/contents/articles/ad-fs-2-0-continuously-prompted-for-credentials-while-using-fiddler-web-debugger.aspx
If you have 2012 R2, then you should
Set-ADFSProperties -ExtendedProtectionTokenCheck None
If your app provides an encryption certificate and AD FS is sending encrypted assertions, then Fiddler will not help. In that case the AD FS security log and debug log are easier to use to see exactly what was sent.
The goal here is to look at the Assertion and Subject elements, and then check why validation failed.
You can see a sample assertion here https://rnd.feide.no/samlexample/simplesamlphp_saml_2_0_authentication_response/. You need to see whether AD FS successfully issued a token (check that the status is Success rather than Responder) and whether the Subject matches the validation checks of your app.
Answer 1: (score: 0)
I had the same problem with Spring Security SAML. The solution is that when you create a MetadataGenerator bean, the entity ID set on it should exactly match the Audience Restriction (or similar field) in the IdP provider. I use Okta as IdP provider, so the Audience Restriction field was configured properly.
Answer 2: (score: 0)
When I got this error, my log also contained the following message:
Decryption of received assertion failed, assertion will be skipped
at debug level (from class WebSSOProfileConsumerImpl), and:
Error decrypting the encrypted data element
org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size
at error level.
The SAML response contained:
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
Note that 256-bit AES encryption requires the JCE Unlimited Strength jars.
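Pulling the three answers together (token status and Subject from answer 0, the Audience/entityId match from answer 1, the aes256-cbc key-size limit from answer 2), here is an added Python triage script that is not part of any of the answers or of Spring SAML; run it on a Response captured with Fiddler or taken from the AD FS logs. The two sample Responses, the entity IDs and the max_aes_bits parameter are constructed assumptions, not values from this thread.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# AES key size implied by each XML Encryption block-cipher algorithm URI.
KEY_BITS = {NS["xenc"] + "aes%d-cbc" % b: b for b in (128, 192, 256)}

# Constructed sample Responses (not captured from AD FS): one plain, one encrypted.
PLAIN = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><samlp:Status>
 <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://sp.example.test/saml/metadata/</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
ENCRYPTED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:EncryptedAssertion><xenc:EncryptedData>
 <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
 <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
 </xenc:EncryptedData></saml:EncryptedAssertion></samlp:Response>"""

def triage(response_xml, sp_entity_id, max_aes_bits=128):
    """Return findings (empty = nothing obviously wrong). max_aes_bits models
    the JRE's AES limit: 128 without the JCE Unlimited Strength policy files."""
    root = ET.fromstring(response_xml)
    findings = []
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    value = code.get("Value") if code is not None else "missing"
    if value != SUCCESS:
        findings.append("status: %s (AD FS did not issue a token)" % value)
    method = root.find("saml:EncryptedAssertion/xenc:EncryptedData/xenc:EncryptionMethod", NS)
    if method is not None:  # Subject/Audience are only visible after decryption
        alg, bits = method.get("Algorithm"), KEY_BITS.get(method.get("Algorithm"), 0)
        if bits > max_aes_bits:
            findings.append("encryption: %s needs %d-bit AES but the JRE allows %d"
                            % (alg, bits, max_aes_bits))
        return findings
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["assertion: none present in the Response"]
    if assertion.find("saml:Subject", NS) is None:
        findings.append("subject: missing")
    aud = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != sp_entity_id:
        findings.append("audience: %r != SP entityId %r"
                        % (aud.text if aud is not None else None, sp_entity_id))
    return findings
```

The audience check is a byte-for-byte comparison on purpose: a trailing slash or a different host name in the MetadataGenerator entity ID is enough for the assertion to be rejected.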